Attack on Amnesty International Staffer Using Israeli-Made Spyware May Be Part of Broad Surveillance Campaign

An investigation published Wednesday by the London-based Amnesty International revealed that one of the group’s staffers was “targeted by a sophisticated surveillance campaign, in what the organization suspects was a deliberate attempt to spy on its staff by a government hostile to its work,” using a tool developed by the Israeli cyber intelligence firm NSO Group.

In early June—while Amnesty was campaigning for the release of six women’s right activists jailed in Saudi Arabia—a staff member received an anonymous message in Arabic on the smartphone application WhatsApp from someone who claimed their brother was detained in Saudi Arabia and requested that the group “cover” a protest in front of the Saudi embassy in Washington, D.C.

Through its investigation, Amnesty discovered that if the staffer had clicked a link included in the message, they would have unknowingly installed NSO Group’s “extraordinarily invasive” Pegasus program on their smartphone.

As Joshua Franco, Amnesty International’s head of technology and human rights, explained, “a smartphone infected with Pegasus is essentially controlled by the attacker—it can relay phone calls, photos, messages, and more directly to the operator.”

“NSO Group is known to only sell its spyware to governments. We therefore believe that this was a deliberate attempt to infiltrate Amnesty International by a government hostile to our human rights work,” Franco said. “This chilling attack on Amnesty International highlights the grave risk posed to activists around the world by this kind of surveillance technology.”

A malicious WhatsApp message with #SaudiArabia-related bait content, carrying links we believe are used to infect victims with highly sophisticated mobile spyware, were sent to our staff member. Read our full investigation here. https://t.co/TkzSMp8BXG

Amnesty also found that another Saudi Arabia rights activist had received a similar message, and subsequent investigations “revealed that the domain link in the message belongs to a large infrastructure of more than 600 suspicious websites which had been previously connected to NSO Group.” The group expressed concern that this apparent scheme “could be used to bait and spy on activists in countries including Kenya, Democratic Republic of Congo, and Hungary, in addition to the Gulf.”

“The message sent to us seems to be part of a much broader surveillance campaign, which we suspect is being used to spy on human rights activists worldwide and prevent their vital work,” Franco warned. “We are working with human rights activists to help them protect themselves against similar cowardly attacks, and ensure that abusive governments cannot use technology to silence them.”

In a statement to Amnesty, NSO Group said the company “develops cyber technology to allow government agencies to identify and disrupt terrorist and criminal plots. Our product is intended to be used exclusively for the investigation and prevention of crime and terrorism. Any use of our technology that is counter to that purpose is a violation of our policies, legal contracts, and the values that we stand for as a company.”